IN THE CLAIMS: 

Claims 1, 6, 14, 17-18, and 24 are amended herein. Claims 20-23 are canceled. All 
pending claims are produced below. 



1 . (Currently Amended) A computer-implemented method for determining 
whether computer code contains malicious code, said method comprising the steps of: 

identifying computer code suspected of currently containing malicious code; 
optimizing the identified computer code to produce optimized code; and 
subjecting the optimized code to a malicious code detection protocol ; and 
responsive to the malicious code detection protocol detecting malicious code 

in the optimized code, declaring a confirmation that the computer code 

contains malicious code. 

2. (Original) The method of claim 1 wherein the malicious code detection 
protocol is a protocol from the group of protocols consisting of pattern matching, emulation, 
checksumming, heuristics, tracing, X-raying, and algorithmic scanning. 

3. (Original) The method of claim 1 wherein the optimizing step comprises 
performing at least one technique from the group of techniques consisting of constant 
folding, copy propagation, non-obvious dead code elimination, code motion, peephole 
optimization, abstract interpretation, instruction specialization, and control flow graph 
reduction. 

4. (Original) The method of claim 3 wherein at least two of said techniques are 
combined synergistically. 
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5. (Original) The method of claim 1 wherein the computer code is polymorphic 
code comprising a decryption loop and a body; and 

the optimizing step comprises optimizing just the decryption loop. 

6. (Currently Amended) A computer-implemented method for determining 
whether computer code having a decryption loop and a body contains malicious code, said 
method comprising the steps of: 

identifying computer code suspected of currently containing malicious code, 
the computer code having a decryption loop and a body; 

optimizing the decryption loop to produce optimized loop code; 

performing a malicious code detection procedure on the optimized loop code; 

optimizing the body to produce optimized body code; and 

subjecting the optimized body code to a malicious code detection protocol^ 
and 

responsive to the malicious code detection procedure dctcctinu malicious code 
in the optimized loop code or the malicious code detection protocol 
detecting malicious code in the optimized body code, declaring a 
confirmation that the computer code contains malicious code. 

7. (Original) The method of claim 6 wherein the malicious code detection 
procedure is a procedure from the group of procedures consisting of pattern matching, 
emulation, checksumming, heuristics, tracing, and algorithmic scanning. 

8. (Original) The method of claim 6 wherein the malicious code detection 
protocol is a protocol from the group of protocols consisting of pattern matching, emulation, 
checksumming, heuristics, tracing, X-raying, and algorithmic scanning. 
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9. (Original) The method of claim 6 wherein the step of optimizing the body 
comprises using at least one output from the group of steps consisting of optimizing the 
decryption loop and performing a malicious code detection procedure on the optimized loop 
code. 

10. (Original) The method of claim 6 wherein, when the step of performing a 
malicious code detection procedure on the optimized loop code indicates the presence of 
malicious code in the computer code, the steps of optimizing the body and subjecting the 
optimized body code to a malicious code detection protocol are aborted. 

1 1 . (Original) The method of claim 6 further comprising the additional step of, 
after the step of performing a malicious code detection procedure on the optimized loop 
code, revealing an encrypted body. 

12. (Original) The method of claim 1 1 wherein the step of revealing an 
encrypted body comprises emulating the optimized loop code. 

13. (Original) The method of claim 1 1 wherein the step of revealing an encrypted 
body comprises applying a key gleaned from the optimized loop code. 

14. (Currently Amended) The method of claim 1 , wherein optimizing the 
computer code to produce optimized code comprises: A method for optimizing computer 
code that is suspected of containing malicious code, said method comprising the stops of: 

performing a forward pass operation; 
performing a backward pass operation; 
performing a control flow graph reduction; and 
iterating the above three steps a plurality of times. 
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15. (Original) The method of claim 14 wherein the iteration of the three steps 
stops after either: 

a preselected number of iterations; or 

observing that no optimizations of the computer code were performed in the 
most recent iteration. 

16. (Original) The method of claim 14 further comprising the step of performing 
a code motion procedure, wherein the four steps are iterated a plurality of times. 

17. (Currently Amended) The method of claim 14 wherein the forward pass 
operation comprises at least one of the following steps one or more steps from the set 
consisting of : 

peephole optimization; 
constant folding; 
copy propagation; 

forward computations related to abstract interpretation; and 
instruction specialization. 

18. (Currently Amended) The method of claim 14 wherein the backward pass 
operation comprises at least one of the stops of one or more steps from the set consisting of 
backward computations related to abstract interpretation and local dead code elimination. 

19. (Original) The method of claim 18 wherein the backward pass operation 
comprises the additional step of global dead code elimination. 

20-23. (Canceled) 
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24. (Currently Amended) A computer-readable storage medium containing 
executable computer program instructions for determining whether computer code contains 
malicious code, said computer program instructions performing the steps of: 

identifying computer code suspected of currently containing malicious code; 
optimizing the identified computer code to produce optimized code; and 
subjecting the optimized code to a malicious code detection protocol ; and 
responsive to the malicious code detection protocol detecting malicious code 

in the optimized code, declaring a confirmation that the computer code 

contains malicious code. 

25. (Original) The computer-readable medium of claim 24 wherein the malicious 
code detection protocol is a protocol from the group of protocols consisting of pattern 
matching, emulation, checksumming, heuristics, tracing, X-raying, and algorithmic scanning. 

26. (Original) The computer-readable medium of claim 24 wherein the 
optimizing step comprises performing at least one technique from the group of techniques 
consisting of constant folding, copy propagation, non-obvious dead code elimination, code 
motion, peephole optimization, abstract interpretation, instruction specialization, and control 
flow graph reduction. 

27. (Original) A method for determining whether computer code contains 
malicious code, said method comprising the steps of: 

performing a dead code elimination procedure on the computer code; 
noting the amount of dead code eliminated during the dead code elimination 
procedure; and 
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when the amount of dead code eliminated during the dead code elimination 
procedure exceeds a preselected dead code threshold, declaring a 
suspicion of malicious code in the computer code. 
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